changeset 5405 | c8d04ac200fc |
parent 5404 | 71766a4a7322 |
child 5406 | fbf3ede7541b |
--- a/mod_http_oauth2/mod_http_oauth2.lua Tue May 02 16:14:22 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Tue May 02 16:20:55 2023 +0200
@@ -754,7 +754,7 @@
 end
 local client_uri = url.parse(client_metadata.client_uri);
- if not client_uri or client_uri.scheme ~= "https" then
+ if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then
 return nil, oauth_error("invalid_request", "Missing, invalid or insecure client_uri");
 end
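Review bot: The new loopback test on the `if not client_uri ...` line compares `client_uri.host` exactly as parsed, so a `client_uri` with no host at all, or with a differently spelled loopback host (mixed case, trailing dot), may still pass. Whether it does depends on how `loopbacks` is built and on what `url.parse` returns, and both are outside this hunk. If neither already normalizes the host, consider rejecting a missing host and lower-casing before the lookup: `if not client_uri or client_uri.scheme ~= "https" or not client_uri.host or loopbacks:contains(client_uri.host:lower()) then`. A short comment such as `-- client_uri identifies the client to users, so it must be a public https origin, never a loopback host` would record why loopback is refused here. The enclosing function starts and ends outside the hunk, so any earlier validation of `client_metadata.client_uri` is not visible.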